
What Is Big Game Hunting? Ransomware's Biggest Targets

Big game hunting is a type of cyberattack, usually delivered through ransomware, that targets large, high-value organizations chosen for their ability to pay a large ransom.

A ransomware crew does not spray a hospital network with a mass-mailed payload and hope a receptionist clicks. They buy access to it. They spend days inside, quietly, mapping the domain, stealing the backups offline, and identifying the file servers that run the emergency room. Only then, often at 3 a.m. on a holiday weekend, do they push encryption to every host at once and leave a note demanding eight figures. The victim was chosen on purpose because it can pay, and because every hour of downtime costs it more than the ransom.

That is big game hunting. It is the opposite of opportunistic ransomware. The attacker picks a large, high-value target, breaks in, escalates, and detonates ransomware as the final move of a hands-on intrusion, not the first move of an automated worm.

This guide covers what big game hunting is, why it became the dominant ransomware model, how a BGH attack runs stage by stage, who carries it out, and how a defender detects and limits it before the encryption fires.

What is big game hunting?

Big game hunting (BGH) is a type of cyberattack, usually delivered through ransomware, that targets large, high-value organizations or high-profile entities chosen for their ability to pay a large ransom. CrowdStrike, the firm that coined the term, defines it as an attack that "usually leverages ransomware to target large, high-value organizations or high-profile entities." Victims are selected on their financial capacity and their likelihood to pay, either to restore operations or to avoid the reputational damage of leaked data.

The "big game" framing is deliberate. Instead of hunting many small, random targets, the adversary stalks one large, lucrative one. Common prey: large corporations, financial institutions, utilities, healthcare systems, government agencies, and any organization holding sensitive intellectual property or personal data. These victims share two traits an extortionist cares about. They have the cash to pay a multi-million-dollar demand, and they have operations so critical that extended downtime is unthinkable, which is exactly the pressure that makes them pay.

The defining trait is that BGH is targeted and human-operated. A commodity ransomware infection is opportunistic and automated: a single user opens a malicious attachment, one machine is encrypted, the demand is a few hundred dollars. BGH is the inverse. A human operator selects the target, gains access, and spends time inside the network conducting hands-on intrusion before deploying the ransomware deliberately across the whole environment.

Big game hunting vs commodity ransomware

The two share a payload and almost nothing else. The table below is the practical difference a defender feels.

Dimension            | Commodity ransomware                  | Big game hunting
---------------------|---------------------------------------|------------------------------------------------
Target               | Anyone who clicks; opportunistic      | A specific high-value organization, chosen
Operation            | Automated, fire-and-forget            | Human-operated, hands-on keyboard
Dwell time           | Minutes; encrypt on execution         | Days to weeks inside before detonation
Scope of encryption  | One host, the one that clicked        | The whole estate, pushed at once
Ransom demand        | Hundreds to low thousands             | Six to eight figures
Extortion model      | Encrypt and demand                    | Double or triple extortion with data leak threat
Defender's window    | None, encryption is the first event   | The whole intrusion before encryption

The last row is the one that matters most. Commodity ransomware gives you nothing to catch; the encryption is the attack. BGH hands you a window of days during which the attacker is still moving, still stealing credentials, still staging data, and not yet encrypting. That window is where the entire defensive opportunity lives.

How a big game hunting attack works

[Figure: Big game hunting · the intrusion chain. The ransomware is the last step, not the first; everything before detonation looks like routine administration, and that is the defender's window. Stages: INITIAL ACCESS (buy the foothold: access broker, phishing, or an unpatched service); ESCALATE (steal credentials: dump credentials, climb toward domain admin); MOVE (lateral movement: map the estate, find servers and backups); STAGE (steal data, kill backups: exfiltrate for double extortion, delete the backups); DETONATE (push ransomware: encrypt every reachable host at once, drop the note). Defender's window: every amber stage is a hands-on intruder using valid credentials and admin tools, days before the red one fires. Catch the movement there and the hunt ends as a contained intrusion.]

A BGH attack runs as a hands-on intrusion that ends in ransomware, not a single automated event. The stages below are the common shape, though the order and tooling vary by crew.

The visual above traces one run of that chain, from purchased access to the final push.

  1. Initial access. The operator gets in, often by buying a foothold from an access broker, phishing an employee, exploiting an unpatched internet-facing service, or abusing valid credentials. Many crews never breach the target themselves; they purchase the access that someone else already gained.
  2. Establish foothold and persistence. They deploy a backdoor or command-and-control implant so the access survives a reboot or a closed laptop. Losing the foothold mid-operation means starting over.
  3. Privilege escalation and credential theft. They harvest credentials from memory and escalate toward domain administrator, the level of control needed to push ransomware everywhere at once.
  4. Lateral movement and reconnaissance. Using stolen-but-valid credentials and legitimate remote-administration tools, they move host to host, mapping the network and locating the file servers, databases, and backup systems that matter.
  5. Find and neutralize the backups. Before encrypting, mature crews locate and delete or encrypt the backups, including offsite and cloud copies. A victim who can restore does not pay.
  6. Data exfiltration. They steal sensitive data and copy it out before encryption. This is the leverage for the second extortion threat: pay, or we publish.
  7. Ransomware deployment. With domain control, backups gone, and data stolen, they push the ransomware to every reachable host simultaneously and drop the ransom note. The encryption is the last act, not the first.

The pattern is a deliberate campaign. Everything before step 7 is a normal-looking intrusion, which is both why it is hard to spot and why it is the defender's only chance.

Double and triple extortion

Encryption alone stopped being enough leverage once organizations got better at backups. So BGH crews added pressure.

Double extortion steals the data before encrypting it. Now the victim faces two threats: their systems are locked, and their stolen data will be published on a dedicated leak site (DLS) unless they pay. Even a victim with perfect backups, one who can restore without paying for a decryptor, still has to weigh the cost of a public dump of customer records, contracts, or source code. The leak site is the whole point. CrowdStrike reported a 76% increase in victims named on BGH dedicated leak sites between 2022 and 2023.

Triple extortion adds a third layer: harassing the victim's customers, partners, or patients directly, threatening to leak their personal data, or hitting the victim with a denial-of-service attack to compound the pressure. The goal is always the same. Remove every reason not to pay.

Ransomware-as-a-Service: the engine behind BGH

Big game hunting scaled because the work got divided. Ransomware-as-a-service (RaaS) leases ransomware to affiliates much as legitimate software is leased as a subscription. The operators build and maintain the malware, the leak site, and the payment infrastructure; the affiliates do the breaking in and the deploying, and the two split the proceeds.

That division of labor is why BGH is so prevalent. An affiliate does not need to write malware; they need to get into a network. A specialized access broker does not need to deploy ransomware; they just sell the foothold. The result is an efficient criminal supply chain in which each participant does one thing well, and the barrier to running a high-value ransomware operation drops sharply.

CrowdStrike tracks the major operators by name. CARBON SPIDER ran the DarkSide RaaS. PINCHY SPIDER ran REvil. Russian-affiliated operators run LockBit, one of the most prolific RaaS families. The named-adversary framing matters for defenders: knowing which crew is active, and the tradecraft it favors, is the difference between a generic alert and an attributed, actionable one. This is where cyber threat intelligence earns its keep.

Why big game hunting is hard to detect

The hard part is that everything before the encryption looks legitimate. The attacker is not running obvious malware; they are logging in with stolen-but-valid credentials and using the same remote-administration tools real admins use every day. There is no exploit signature on a pass-the-hash logon and no malicious file when PsExec runs, because an administrator runs PsExec too.

CrowdStrike's 2026 Global Threat Report found that 82% of detections in 2025 were malware-free, meaning the activity rode on legitimate tools and credentials rather than files an antivirus could flag. That breaks the controls built for commodity threats. Signature antivirus sees nothing. The perimeter firewall sees nothing, because the movement is internal, east-west, never crossing the boundary it watches.

Speed compounds the problem. The same report put the average eCrime breakout time, the time from initial access to the first lateral movement, at 29 minutes, with the fastest recorded run at 27 seconds. Once an operator is in, the window to contain them before they spread is short, and getting shorter.

How to detect and defend against big game hunting

The whole defensive strategy follows from one fact: in BGH, the ransomware is the last step, so the goal is to catch the intrusion in the days before it. You are hunting the human in your network, not the payload.

  • Endpoint detection and response. The hands-on activity, the credential dumping, the remote execution, the backup deletion, lives on the endpoints. Endpoint detection and response records the process and logon behavior that exposes an operator moving toward domain control, and it is the single highest-value control against BGH.
  • Detect the lateral movement. The attacker has to traverse the network to reach domain control and the backups. Watch authentication for the patterns it creates: an account logging into systems it never touches, a single account hitting many hosts fast, NTLM where Kerberos is expected. Each hop of lateral movement is a chance to be seen.
  • Protect identity and credentials. Multi-factor authentication, least privilege, and tiered administration make the credential theft and escalation that BGH depends on expensive and noisy. An operator who cannot reach domain admin cannot push ransomware everywhere.
  • Harden the entry points. Patch internet-facing services, lock down remote access, and train staff against phishing, the foothold a broker would otherwise sell. Closing the front door is cheaper than evicting an operator who is already inside.
  • Protect the backups. Keep offline, immutable, tested backups that an attacker with domain control cannot reach or delete. Backups the adversary cannot destroy remove the leverage of the encryption itself, though not of the data-leak threat.
  • Feed threat intelligence into detection. Knowing which crews are active and the tradecraft they favor turns raw telemetry into attributed detections, and lets a hunt look for the specific behaviors a named affiliate uses.

The unifying skill is proactive hunting against a known baseline. An analyst who knows what normal authentication and process activity look like can spot the one logon that does not belong, in the days before the ransom note, which is the only time the outcome is still in the defender's hands.
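One way to turn the three authentication patterns named above, and the hunt against a known baseline, into working detection logic. This is an added example, not CrowdStrike's or the page's own code; it runs over constructed, already-parsed successful-logon records (the fields a Windows Event ID 4624 carries) against a constructed per-account baseline of normal hosts. The field names, the ten-minute window and the three-host fan-out threshold are assumptions to tune to your own telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: the hosts each account is normally seen logging into.
BASELINE = {
    "jdoe": {"WS-0112"},
    "svc-backup": {"BKP-01"},
}

# Constructed successful-logon records, the fields a parsed 4624 event
# carries: time, account, destination host, source host, auth package.
LOGONS = [
    {"ts": "2024-06-01T02:58:10", "user": "jdoe", "dst": "WS-0112", "src": "WS-0112", "pkg": "Kerberos"},
    {"ts": "2024-06-01T03:01:05", "user": "jdoe", "dst": "FS-01", "src": "WS-0112", "pkg": "NTLM"},
    {"ts": "2024-06-01T03:01:40", "user": "jdoe", "dst": "FS-02", "src": "WS-0112", "pkg": "NTLM"},
    {"ts": "2024-06-01T03:02:12", "user": "jdoe", "dst": "DC-01", "src": "WS-0112", "pkg": "NTLM"},
    {"ts": "2024-06-01T03:02:50", "user": "jdoe", "dst": "BKP-01", "src": "WS-0112", "pkg": "NTLM"},
    {"ts": "2024-06-01T03:05:00", "user": "svc-backup", "dst": "BKP-01", "src": "BKP-01", "pkg": "Kerberos"},
]


def hunt(logons, baseline, window=timedelta(minutes=10), fan_out=3):
    """Return {account: [(pattern, detail), ...]} for the three patterns the
    article names: a logon to a host outside the account's baseline, one
    account reaching many distinct hosts inside one window, and NTLM on a
    network logon between domain hosts where Kerberos is expected."""
    findings = defaultdict(list)
    by_user = defaultdict(list)
    for rec in logons:
        by_user[rec["user"]].append((datetime.fromisoformat(rec["ts"]), rec))
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        known = baseline.get(user, set())
        for ts, rec in events:
            if rec["dst"] not in known:
                findings[user].append(("new_host", f"{rec['dst']} at {rec['ts']}"))
            # A network logon (source differs from destination) in a Kerberos
            # domain should use Kerberos; NTLM there is the hint to chase.
            if rec["pkg"] == "NTLM" and rec["src"] != rec["dst"]:
                findings[user].append(("ntlm", f"{rec['src']} -> {rec['dst']}"))
        # Sliding window: how many distinct hosts did this account reach
        # inside `window` starting from each logon? Report the first burst.
        for i, (t0, _) in enumerate(events):
            hosts = {r["dst"] for t, r in events[i:] if t - t0 <= window}
            if len(hosts) >= fan_out:
                findings[user].append(("fan_out", f"{len(hosts)} hosts from {t0.isoformat()}"))
                break
    return dict(findings)


if __name__ == "__main__":
    for user, items in hunt(LOGONS, BASELINE).items():
        for pattern, detail in items:
            print(f"{user:12} {pattern:9} {detail}")
```

The backup service account never surfaces because every one of its logons matches its baseline, its package, and its own host; the workstation account surfaces on all three patterns at once, which is the shape of the window the article describes.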

Frequently asked questions

What is big game hunting in cybersecurity?

Big game hunting is targeted ransomware against large, high-value organizations chosen for their ability to pay a large ransom. Unlike automated commodity ransomware, it is human-operated: an attacker breaks in, spends days moving through the network, steals data, neutralizes backups, and then deploys ransomware across the whole estate as the final step.

How is big game hunting different from regular ransomware?

Regular, or commodity, ransomware is opportunistic and automated. It encrypts whatever machine clicks a malicious link and demands a small ransom. Big game hunting is deliberate and hands-on: a specific high-value target is selected, an operator gains access and escalates to domain control, and the ransomware is detonated across the entire environment for a six- to eight-figure demand.

What is double extortion in big game hunting?

Double extortion is when the attacker steals sensitive data before encrypting it, then threatens to publish that data on a leak site unless the ransom is paid. This pressures even victims who have good backups, because restoring their systems does not stop a public dump of their stolen data. Triple extortion adds a third layer, such as harassing the victim's customers or launching a denial-of-service attack.

Why do attackers target large organizations for ransomware?

Because they can pay and they cannot afford downtime. Large corporations, hospitals, utilities, and government agencies have the cash for a multi-million-dollar ransom and operations so critical that extended outages are unthinkable. That combination of financial capacity and pressure to restore quickly is exactly what makes them likely to pay.

How do you defend against big game hunting?

Catch the intrusion in the days before encryption. Deploy endpoint detection and response to spot hands-on activity, monitor authentication for lateral movement, protect identities with multi-factor authentication and least privilege, harden internet-facing services and train against phishing, and keep offline, immutable, tested backups an attacker cannot delete. Threat intelligence on active crews turns raw telemetry into attributed detections.

What is ransomware-as-a-service (RaaS)?

Ransomware-as-a-service leases ransomware to affiliates much like legitimate software is sold by subscription. The operators build and maintain the malware, leak site, and payment infrastructure; affiliates handle breaking in and deploying, and the two split the proceeds. RaaS is the engine behind big game hunting because it lets specialists each do one part of the attack, lowering the barrier to running a high-value ransomware operation.

The bottom line

Big game hunting is targeted, human-operated ransomware aimed at organizations chosen because they can pay. The encryption everyone associates with ransomware is the final act of a deliberate intrusion: buy or breach the access, escalate to domain control, steal the data, delete the backups, then detonate. Double and triple extortion and the ransomware-as-a-service economy made the model both more profitable and more accessible.

For a defender, the lesson is where to look. The ransom note is the end of the story, and by then the options are bad. The whole opportunity is in the quiet days before it, when an operator is moving through the network looking like an administrator. Catch that movement, protect the identities and backups it targets, and a big game hunt ends as a contained intrusion instead of an enterprise-wide disaster.

